Traefik - proxy development server with self-signed SSL certificate

You want to check how (or if) your application works with SSL encryption without exposing it to the Internet? Use a self-signed SSL certificate with the Traefik proxy server inside the intranet (or other LAN with restricted access).

Start

Traefik is becoming more and more popular thanks to its configuration simplicity and the rich features available out of the box. Here is how it can be used to serve a selected application server behind a self-signed SSL certificate.

Overview

Things to check before starting:

Your device - should be able to reach the Development server under a custom domain name, e.g. my.test. You can set this up in the /etc/hosts file (on Unix systems), with dnsmasq, or directly in the network router if you have access to its configuration (if you can't do that, please read the #Tips section to adjust the TLS configuration in your traefik.toml)

Development server - if necessary, adjust the system firewall configuration and open the required ports (ports 4000 and 8080 should be reachable from the Intranet/LAN)

Application server - make sure it works and is reachable from the Development server on port 5000

A request to my.test:4000 made from Your device is expected to travel the following path:

File structure

Self-signed certificate files

You will need .key and .crt files. For a self-signed certificate they can be generated with openssl. If you don't have it installed already, look up the installation steps for your system (brew install openssl on Mac OS X with the Homebrew package manager). With openssl ready to use, execute:

The only important question while running the openssl command is Common Name (e.g. server FQDN or YOUR name):. The answer should match the domain name of your server, e.g. *.test or my.test (or any other name that you can point to your server); wildcards (*) are allowed.

After preparing the certificate files, restrict their access rights so that the private key is readable only by its owner.

chmod 644 cert.crt
chmod 600 cert.key

It's done, now you may proceed to the next step.

Traefik configuration traefik.toml

Most of the Traefik configuration goes into the traefik.toml file. Here is the final result.

[frontends] - Frontends configuration, where frontend1 is the name (which can be changed at any time); the entryPoints and backend keys link an entry point with a backend for the given frontend, and rule tells Traefik which domains it should handle with that frontend

[[tls]] - Assigns the generated cert and key files to the selected entryPoint (httpSSL in this case)
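As an added example (not the post's own traefik.toml, which is not reproduced here), this is a minimal Traefik 1.x configuration tying the described pieces together: the httpSSL entry point on port 4000, the dashboard on port 8080, frontend1 routing Host:my.test to a backend at 192.168.0.16:5000, and the [[tls]] block attaching cert.crt and cert.key. The /certs mount path and the backend name backend1 are assumptions.

```toml
# Added example for Traefik 1.x (frontends/backends syntax); paths under /certs
# and the name backend1 are assumptions, the rest follows the post's naming.
logLevel = "INFO"

# Every frontend without an explicit entry point list would use this one.
defaultEntryPoints = ["httpSSL"]

[entryPoints]
  # Port 4000 terminates TLS; the empty [..tls] table enables TLS here,
  # the actual certificate is attached by the [[tls]] block below.
  [entryPoints.httpSSL]
    address = ":4000"
    [entryPoints.httpSSL.tls]
  # Port 8080 serves the Traefik dashboard/API (plain HTTP, LAN only).
  [entryPoints.traefik]
    address = ":8080"

# Enable the dashboard on the "traefik" entry point (Traefik 1.x default).
[api]

# Enable the file provider so the frontends/backends below are read
# from this same traefik.toml.
[file]

[frontends]
  [frontends.frontend1]
    entryPoints = ["httpSSL"]
    backend = "backend1"
    [frontends.frontend1.routes.route1]
      # Only requests for this host are handled by frontend1.
      rule = "Host:my.test"

[backends]
  [backends.backend1]
    [backends.backend1.servers.server1]
      # The application server as seen from inside the Traefik container.
      url = "http://192.168.0.16:5000"

# Assign the self-signed certificate to the httpSSL entry point.
# The Common Name (or a wildcard such as *.test) must match my.test,
# otherwise Traefik logs "Serving default cert for request" and falls
# back to its own generated default certificate.
[[tls]]
  entryPoints = ["httpSSL"]
  [tls.certificate]
    certFile = "/certs/cert.crt"
    keyFile = "/certs/cert.key"
```

The /certs directory is expected to be bind-mounted into the container from the host directory holding the generated cert.crt and cert.key.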

It's Docker time

With traefik.toml in place it's time to move on to the Docker configuration. The simplest (at least for me) solution is to write a docker-compose.yml file. Here's how it can look.

Application server address 192.168.0.16

It doesn't have to be your Development server IP as visible on the LAN. It can also be an internal IP visible from Docker, which is usually something like 172.17.0.1. You should be able to check that using ifconfig (look for the docker0 interface); in case you are using Docker for Mac you may also use host.docker.internal (see the docs).

Troubleshooting

Check the output after executing the docker-compose up command.

If you want to restart the created container with a new or changed configuration in the traefik.toml file, press Ctrl-c, and then execute docker-compose down && docker-compose up to make sure that the old container has been properly destroyed.

502 Bad Gateway instead of your requested/proxied content probably means that you have made a simple error in the traefik.toml configuration. Watch out for typos and for renamed entries (if you choose to change some names), since a frontend referencing a backend or entryPoint name that does not exist has nowhere to send the request.

Start with minimal modifications. Just copy and paste the example content into the files and adjust only the URLs. Start it. You can rename everything (frontends, backends, entryPoints, containers, networks etc.) later, after the first successful start.

Some explanations regarding the Traefik log messages:

Serving default cert for request: ... - you probably gave an incorrect FQDN (Common Name) when generating the self-signed certificate with openssl, so it does not match the requested host name and Traefik falls back to its own default certificate